Today's lab from Laogebo covers the EZVPN configuration methods; the notes and configurations follow.

=========client mode ezvpn==========

Server-side configuration:

aaa new-model
aaa authentication login remote local    // the AAA list is named "remote"
aaa authorization network remote local

ip local pool ippool 100.1.1.1 100.1.1.100

username cisco password cisco

crypto isakmp policy 10
  hash md5
  authentication pre-share
  group 2

crypto isakmp client configuration group ezvpngroup
  key cisco
  pool ippool
  wins 10.1.1.1
  dns 2.2.2.2

crypto ipsec transform-set cisco esp-des esp-md5-hmac

crypto dynamic-map cisco 10
  set transform-set cisco
  reverse-route    // Reverse Route Injection: automatically installs a /32 route for each connected peer; to have routes installed according to the ACL you must add the "static" keyword

crypto map cisco client authentication list remote
crypto map cisco isakmp authorization list remote
crypto map cisco client configuration address respond   // push an address only when the client requests one

crypto map cisco 10 ipsec-isakmp dynamic cisco

interface fa0/0.20
 crypto map cisco
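The ISAKMP policy above negotiates IKE with MD5, DH group 2 and, since no `encryption` line is set, the IOS default of DES, and the transform set protects traffic with `esp-des esp-md5-hmac`; that is fine for a lab, but each of those choices is deprecated or broken for production use, and `username cisco password cisco` stores a recoverable password. The following Python script is an added example, not part of the original note: it splits an IOS config into blocks by indentation and flags those settings, suggesting AES-256, SHA-256 and group 14 instead. The sample and hardened configs are constructed for the illustration, and the replacement keywords are assumed to be available on the platform (they exist on IOS 15.x).

```python
import re

# Constructed sample: the EZVPN server config from this note, trimmed to the lines the lint reads.
SAMPLE_CONFIG = """\
username cisco password cisco
crypto isakmp policy 10
  hash md5
  authentication pre-share
  group 2
crypto isakmp client configuration group ezvpngroup
  key cisco
  pool ippool
crypto ipsec transform-set cisco esp-des esp-md5-hmac
crypto dynamic-map cisco 10
  set transform-set cisco
  reverse-route
"""

# Constructed hardened counterpart; assumes the IOS 15.x keywords used here exist on the platform.
HARDENED_CONFIG = """\
username cisco secret cisco
crypto isakmp policy 10
  encryption aes 256
  hash sha256
  authentication pre-share
  group 14
crypto ipsec transform-set cisco esp-aes 256 esp-sha256-hmac
"""

# weak keyword -> suggested replacement
WEAK_ENC = {"des": "aes 256", "3des": "aes 256"}
WEAK_HASH = {"md5": "sha256"}
WEAK_DH = {"1": "14", "2": "14", "5": "14"}
WEAK_ESP = {
    "esp-des": "esp-aes 256",
    "esp-3des": "esp-aes 256",
    "esp-md5-hmac": "esp-sha256-hmac",
}


def parse_blocks(config):
    """Split an IOS config into (command, [sub-commands]) pairs using indentation."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def lint(config):
    """Return (command, finding) tuples for each weak IKE/IPsec or credential setting."""
    findings = []
    for cmd, body in parse_blocks(config):
        if cmd.startswith("crypto isakmp policy"):
            kv = {}
            for line in body:
                parts = line.split(None, 1)
                kv[parts[0]] = parts[1] if len(parts) > 1 else ""
            # IOS defaults when a line is absent: encryption des, hash sha (SHA-1), group 1
            enc = kv.get("encryption")
            if enc is None:
                findings.append((cmd, "no 'encryption' line, so IOS falls back to DES; add 'encryption aes 256'"))
            elif enc in WEAK_ENC:
                findings.append((cmd, f"encryption {enc} is weak; use 'encryption {WEAK_ENC[enc]}'"))
            h = kv.get("hash", "sha")
            if h in WEAK_HASH:
                findings.append((cmd, f"hash {h} is weak; use 'hash {WEAK_HASH[h]}'"))
            g = kv.get("group", "1")
            if g in WEAK_DH:
                findings.append((cmd, f"group {g} is weak; use 'group {WEAK_DH[g]}'"))
        elif cmd.startswith("crypto ipsec transform-set"):
            # tokens after "crypto ipsec transform-set <name>" are the transforms
            for tok in cmd.split()[4:]:
                if tok in WEAK_ESP:
                    findings.append((cmd, f"{tok} is weak; use '{WEAK_ESP[tok]}'"))
        elif re.match(r"username \S+ password ", cmd):
            findings.append((cmd, "type 0/7 password is recoverable; use 'username <name> secret <password>'"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("lab config", SAMPLE_CONFIG), ("hardened config", HARDENED_CONFIG)):
        print(f"== {label}: {len(lint(cfg))} finding(s)")
        for cmd, msg in lint(cfg):
            print(f"  [{cmd}] {msg}")
```

Running it lists six findings for the lab config and none for the hardened one; the same indentation-based block parser can be pointed at a full `show running-config` dump.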


Client-side configuration:
crypto ipsec client ezvpn cisco   // the name "cisco" is only locally significant
 connect manual                  // how the connection is brought up
 group ezvpngroup key cisco
 mode client                     // only the client can initiate the tunnel
 peer 20.1.1.2                   // the EZVPN server

interface fa0/0.20
 crypto ipsec client ezvpn cisco outside   // outside is the default role

interface lo 0
 crypto ipsec client ezvpn cisco inside

#crypto ipsec client ezvpn connect    // dial in
#crypto ipsec client ezvpn xauth      // supply the XAUTH username and password


show crypto ipsec client ezvpn

Test:
ping 10.1.1.1 source lo 0 repeat 0
show crypto engine connections active

Note: the Split Tunnel List defines which destinations the client encrypts traffic to.
Configure an ACL on the EZVPN server, e.g.:
ip access-list extended vpn
 permit ip host 10.1.1.1 100.1.1.0 0.0.0.255

Then reference the ACL under crypto isakmp client configuration group ezvpngroup:
   acl vpn
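To make the split-tunnel semantics concrete: the source field of each permit entry is the network behind the server, and that list is what the server pushes to the client; only destinations covered by it enter the tunnel, while everything else leaves the client in the clear, so the list should be no wider than the real requirement. The following Python is an added example, not from the original note: it parses permit entries with IOS wildcard masks (the ACL below is the note's entry plus a constructed /24 entry and a deny) and decides whether a given destination would be tunneled, treating "no list pushed" as a full tunnel.

```python
import ipaddress

# Constructed sample: the split-tunnel ACL from this note plus one extra /24 entry and a deny.
SPLIT_TUNNEL_ACL = [
    "permit ip host 10.1.1.1 100.1.1.0 0.0.0.255",
    "permit ip 10.1.2.0 0.0.0.255 100.1.1.0 0.0.0.255",
    "deny ip any any",
]


def _parse_addr(tokens, i):
    """Parse one IOS address spec at tokens[i]; return (IPv4Network, index after it)."""
    if tokens[i] == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    addr, wildcard = tokens[i], tokens[i + 1]
    # An IOS wildcard mask is the inverse of a netmask (0.0.0.255 -> 255.255.255.0).
    # Inverting explicitly avoids the 0.0.0.0 ambiguity; non-contiguous wildcards raise ValueError.
    mask = ipaddress.IPv4Address(~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), i + 2


def parse_split_tunnel_acl(lines):
    """Return the networks the server pushes to the client: the source of each permit entry.

    In an EZVPN split-tunnel ACL the source is the network behind the server and the
    destination is the client pool; deny entries contribute nothing to the pushed list.
    """
    nets = []
    for line in lines:
        t = line.split()
        if not t or t[0] != "permit":
            continue
        src, i = _parse_addr(t, 2)   # t[1] is the protocol keyword ("ip")
        _parse_addr(t, i)            # destination: parsed only to validate the entry
        nets.append(src)
    return nets


def is_tunneled(dest_ip, split_nets):
    """Would a client packet to dest_ip enter the tunnel? An empty pushed list means full tunnel."""
    if not split_nets:
        return True
    ip = ipaddress.ip_address(dest_ip)
    return any(ip in net for net in split_nets)


if __name__ == "__main__":
    nets = parse_split_tunnel_acl(SPLIT_TUNNEL_ACL)
    print("pushed split-tunnel list:", [str(n) for n in nets])
    for dest in ("10.1.1.1", "10.1.2.77", "8.8.8.8"):
        verdict = "tunnel" if is_tunneled(dest, nets) else "clear text (bypasses the VPN)"
        print(f"{dest} -> {verdict}")
```

With the sample ACL, 10.1.1.1 and 10.1.2.77 are tunneled while 8.8.8.8 goes out in the clear; remove the `acl` line from the group and the same check returns "tunnel" for everything.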

=========network-extension mode configuration==========
crypto ipsec client ezvpn cisco
 mode network-extension

crypto ipsec client ezvpn connect
crypto ipsec client ezvpn xauth

show crypto ipsec client ezvpn
No new IP address is assigned (the connection uses the client's own source addresses).

ping 10.1.1.1 source lo 0 repeat 10

==========Group-policy configuration method (ISAKMP profile)=========
aaa new-model
aaa authentication login remote local
aaa authorization network remote local

ip local pool ippool 100.1.1.1 100.1.1.100

username cisco password cisco

crypto isakmp policy 10
  hash md5
  authentication pre-share
  group 2

crypto isakmp client configuration group ipsecgroup
  key cisco
  pool ippool
  wins 10.1.1.1
  dns 2.2.2.2

crypto isakmp profile cisco
  match identity group ipsecgroup
  client authentication list remote
  isakmp authorization list remote
  client configuration address respond

crypto ipsec transform-set cisco esp-des esp-md5-hmac

crypto dynamic-map cisco 10
  set transform-set cisco
  set isakmp-profile cisco
  reverse-route

crypto map cisco 10 ipsec-isakmp dynamic cisco

interface fa0/0
 crypto map cisco

==========Third method (IPsec profile with a virtual-template)==========
aaa new-model
aaa authentication login remote local
aaa authorization network remote local

username cisco password cisco

ip local pool ippool 100.1.1.1 100.1.1.100

crypto isakmp policy 10
  hash md5
  authentication pre-share
  group 2

crypto isakmp client configuration group ipsecgroup
  key cisco
  pool ippool
  wins 10.1.1.1
  dns 2.2.2.2

crypto isakmp profile cisco
  match identity group ipsecgroup
  client authentication list remote
  isakmp authorization list remote
  client configuration address respond
  virtual-template 100

crypto ipsec transform-set cisco esp-des esp-md5-hmac

crypto ipsec profile cisco
  set transform-set cisco
  set isakmp-profile cisco

interface fa0/0
ip nat outside
ip virtual-reassembly

interface virtual-template 100 type tunnel
  ip unnumbered fa0/0
  ip nat inside
  ip virtual-reassembly
  tunnel source fa0/0
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile cisco

For the rest of the VPN series, interested readers can refer to the following articles:

Laogebo VPN series (7): DMVPN configuration

Laogebo VPN series (6): EZVPN configuration

Laogebo VPN series (5): Point-to-multipoint VPN, configuring a dynamic map

Laogebo VPN series (4): Configuring a simple L2L VPN on the PIX

Laogebo VPN series (3): Analysis of the VPN negotiation process

Laogebo VPN series (2): Sharing a personal summary of VPN key points

Laogebo VPN series (1): Three ways to configure an L2L VPN